The use of CCleaner is encountered at times during forensic investigations of
computer systems. It has been labeled an "anti-forensics" tool as it has a
secure deletion mode where it can overwrite data, filenames, and free space.

Overwriting files and filenames removes the chance to recover the data
and subject it to further analysis; hence the anti-forensics label. There may
be some remnants and data left for analysis and comparison, but at best you
can infer what had been wiped. What you are faced with is a case of
"You don't know what you don't know".

That is, until now. CCleaner will actually tell you what files it wiped. You
just have to work for it.

CCleaner is a system optimization software package developed and distributed
by Piriform. A free version is available for download and use. Piriform
describes the capabilities of CCleaner as follows:

"CCleaner is our system optimization, privacy and
cleaning tool. It removes unused files from your system - allowing Windows
to run faster and freeing up valuable hard disk space. It also cleans traces of
your online activities such as your Internet history. Additionally it
contains a fully featured registry cleaner. But the best part is that it's
fast (normally taking less than a second to run) and contains NO Spyware or
Adware!"

CCleaner does have a few artifacts that may be uncovered. The character
patterns of overwriting, the registry values for its configuration settings, and
the data still resident in the pagefile, volume shadows, and hibernation files
after its use have been reported on sites such as:

CCleaner, in what Piriform refers to as "secure file deletion" mode,
overwrites a file's content with other characters. There are multiple options
available in this mode with each option increasing the number of times a file is
overwritten. Even the "simple overwrite" option consisting of one pass over the
data is enough to frustrate recovery of the original data.

Filenames are overwritten as well. On an NTFS formatted drive, the filename
records in the Master File Table are replaced with the letter "Z". For example,
a file named "TEST.TXT" will have each character in the name overwritten with
the letter Z and will be renamed to "ZZZZ.ZZZ" after the process is
completed.

CCleaner, even on its most aggressive settings, will possibly leave some
information in the pagefile, volume shadows, and hibernation files on a system.
A forensics examiner could recover Internet History as well as other remnants
from these areas as they have not been overwritten by CCleaner.

When trying to gather information on data overwritten by CCleaner, files
resident in volume shadows will allow you to infer what may have been
overwritten. The same is true for files and filenames located in pagefiles and
hibernation files. The registry entries for CCleaner's configuration settings
will indicate the types of files and some locations of files that will be
affected, but they do not directly tell you the names of the files, much less
their content. The difficulty is in establishing a link between the data you
believe CCleaner overwrote and the data actually overwritten by the program.

For example, in a recent case filenames and file paths recovered from a
hibernation file showed a few thousand filenames referenced that were no longer
resident on the system. Fortunately, the system had gone into hibernation
shortly before the wiping so the timing was good, allowing for a comparison of
filenames found in the hibernation file to filenames active on the system.

The configuration settings for CCleaner allowed one to infer that many of
these files were potentially files wiped by CCleaner. However, deletion in the
normal course of events for the system, such as when the Internet cache size
has been exceeded, could not be entirely excluded.

To try to address the question of what CCleaner wiped, testing was
performed on a clean system to observe and monitor how CCleaner operates. This
testing uncovered an artifact of what appears to be how CCleaner handles the
overwriting of filenames on a system. As stated previously, CCleaner will
overwrite the letters in a filename with the letter "Z". In the process of
performing this task, CCleaner writes out the filename it intends to replace
multiple times, followed by a string of the same length, written the same number
of times, consisting entirely of Z's (with the dot preserved).

For example, as CCleaner was executing, the filename "TEST.TXT" was seen
being written out to disk a few times, followed by the pattern "ZZZZ.ZZZ". The
other filenames being overwritten were handled in the same fashion. A forensic
image of the system was taken after the execution of CCleaner had completed and
was searched for the pattern noticed in testing. A match of this pattern was
found in the unallocated space of the hard drive.

The search results looked like this:

TEST.TXT
TEST.TXT
TEST.TXT
ZZZZ.ZZZ
ZZZZ.ZZZ
ZZZZ.ZZZ

TEST1.TXT
TEST1.TXT
TEST1.TXT
ZZZZZ.ZZZ
ZZZZZ.ZZZ
ZZZZZ.ZZZ

And so forth…

In order to ensure that the monitoring programs did not affect this finding,
the same test was run again on a clean system without the monitoring tools in
place. Once again, the pattern was located in the unallocated portion of the
hard drive. Even after varying settings for CCleaner, positive findings for this
pattern were located on the hard drive. Only when the free space overwriting
option was selected did most of the artifacts go away. Some items were still
found in the pagefile; however, these were quite few compared to the amount
previously located.

The real test took place when a search for this pattern was conducted on the
hard drive in the case mentioned previously. Success!

Positive hits were found on the drive and were quite extensive. In fact, of
the few thousand filenames referenced in the hibernation file that were no
longer resident on the system, matching filenames were located for over 80% of
them, each associated with these CCleaner artifacts.

So, roughly 80% of the unique filenames found in the hibernation file could be
positively correlated with CCleaner having run on the system.
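The pattern described above and the hibernation-file correlation, as an added example that is not part of the original article: a small Python carver that scans a byte buffer for a filename written several times followed by its equal-length Z-mask the same number of times, then reports what share of names recovered from a hibernation file were matched. The separator between writes, the ASCII encoding, the three-write count and all sample data are assumptions constructed here; the article itself only reports the TEST.TXT observation.

```python
import re

# Assumed for the constructed sample: successive writes are separated by NULs or
# line breaks, in ASCII. Confirm separator and encoding on a test system first.
_SEP = rb"[\x00\r\n]+"

def z_mask(name: bytes) -> bytes:
    """The name CCleaner leaves behind: every character except the dots becomes 'Z'."""
    return bytes(c if c == ord(".") else ord("Z") for c in name)

def carve_wiped_filenames(blob: bytes, min_repeats: int = 3) -> list[bytes]:
    """Filenames written >= min_repeats times in a row and immediately followed
    by their own Z-mask, also written >= min_repeats times."""
    n = str(min_repeats - 1).encode()
    pattern = re.compile(
        rb"(?P<name>[^\x00\r\n]+)(?:" + _SEP + rb"(?P=name)){" + n + rb",}"
        + _SEP + rb"(?P<mask>[Z.]+)(?:" + _SEP + rb"(?P=mask)){" + n + rb",}"
    )
    hits = []
    for m in pattern.finditer(blob):
        name, mask = m.group("name"), m.group("mask")
        # A Z-run of the wrong length or dot layout is not this artifact.
        if name != mask and mask == z_mask(name):
            hits.append(name)
    return hits

def correlate(hiberfil_names, carved):
    """Share of names seen in the hibernation file (but gone from the file system)
    that also appear as wipe artifacts; NTFS names compare case-insensitively."""
    wanted = {n.upper() for n in hiberfil_names}
    found = wanted & {c.upper() for c in carved}
    return found, (len(found) / len(wanted) if wanted else 0.0)

# Constructed stand-in for a slice of unallocated space (not a real image).
SAMPLE_BLOB = (
    b"\x00" * 4 + b"\n".join([b"TEST.TXT"] * 3 + [b"ZZZZ.ZZZ"] * 3)
    + b"\x00" * 2 + b"\n".join([b"TEST1.TXT"] * 3 + [b"ZZZZZ.ZZZ"] * 3)
    + b"\x00" + b"\n".join([b"ZZZZ.ZZZ"] * 3)  # Z-run with no name before it: ignored
    + b"\x00" + b"\n".join([b"index.dat"] * 3 + [b"ZZZZZ.ZZ"] * 3)  # wrong length: ignored
    + b"\x00" + b"\n".join([b"cache_0001.jpg"] * 3 + [b"ZZZZZZZZZZ.ZZZ"] * 3)
)
# Constructed list of names carved from a hibernation file but absent on disk.
HIBERFIL_NAMES = [b"test.txt", b"Test1.txt", b"cache_0001.jpg", b"history.dat"]

if __name__ == "__main__":
    carved = carve_wiped_filenames(SAMPLE_BLOB)
    matched, ratio = correlate(HIBERFIL_NAMES, carved)
    print(carved, sorted(matched), f"{ratio:.0%}")  # 3 names, 75% correlated
```

On a real image, feed the carver the raw bytes of unallocated space or the pagefile in chunks; NTFS may also hold the names as UTF-16LE, so decode that view before scanning if the ASCII pass finds nothing.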

Once a filename is located, even if the original file is overwritten, it is
still possible to gather more information regarding that file. Remnants and even
whole copies of files may be located once a filename is identified. If you have
a filename, searches for that name will turn up interesting and informative
results.

In this case, finding this CCleaner artifact led to the identification of
multiple key elements. In every case since this one involving CCleaner, this
pattern has allowed the correlation of at least some information about files
that were wiped. Unfortunately, this search will not allow one to completely
locate all of the filenames of files that were overwritten, nor will it
necessarily lead to recovering their data.